[PATCH v2] accel/qaic: Fix integer overflow in qaic_validate_req()

From: Dan Carpenter
Date: Fri Mar 07 2025 - 03:42:04 EST

Next message: Krzysztof Kozlowski: "Re: [PATCH v3 1/3] dt-bindings: leds: Add LP5812 LED driver"
Previous message: Xianwei Zhao: "Re: [PATCH v3 2/4] irqchip: Add support for Amlogic A4 and A5 SoCs"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

These are u64 variables that come from the user via
qaic_attach_slice_bo_ioctl(). Use check_add_overflow() to ensure that
the math doesn't have an integer wrapping bug.

Cc: stable@xxxxxxxxxxxxxxx
Fixes: ff13be830333 ("accel/qaic: Add datapath")
Signed-off-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx>
---
v2: use check_add_overflow() instead of open coding a check

drivers/accel/qaic/qaic_data.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/drivers/accel/qaic/qaic_data.c b/drivers/accel/qaic/qaic_data.c
index c20eb63750f5..631e401fbe4a 100644
--- a/drivers/accel/qaic/qaic_data.c
+++ b/drivers/accel/qaic/qaic_data.c
@@ -554,6 +554,7 @@ static bool invalid_sem(struct qaic_sem *sem)
static int qaic_validate_req(struct qaic_device *qdev, struct qaic_attach_slice_entry *slice_ent,
u32 count, u64 total_size)
{
+ u64 total;
int i;

for (i = 0; i < count; i++) {
@@ -563,7 +564,8 @@ static int qaic_validate_req(struct qaic_device *qdev, struct qaic_attach_slice_
invalid_sem(&slice_ent[i].sem2) || invalid_sem(&slice_ent[i].sem3))
return -EINVAL;

- if (slice_ent[i].offset + slice_ent[i].size > total_size)
+ if (check_add_overflow(slice_ent[i].offset, slice_ent[i].size, &total) ||
+ total > total_size)
return -EINVAL;
}

--
2.47.2

Next message: Krzysztof Kozlowski: "Re: [PATCH v3 1/3] dt-bindings: leds: Add LP5812 LED driver"
Previous message: Xianwei Zhao: "Re: [PATCH v3 2/4] irqchip: Add support for Amlogic A4 and A5 SoCs"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]